When using OKTA, it is common to have multi-factor authentication enabled to authenticate user accounts. While this works for user accounts, MFA cannot be used for service accounts, as it would require a user prompt/interaction. Further, service accounts are used to authenticate and use vSphere at a pace much greater than a user account.
Because of this, service accounts may fail to authenticate to a vCenter Server that has OKTA configured as the identity provider source and MFA enabled.
vCenter Server 7.x
vCenter Server 8.x
OKTA is configured as the identity provider for the vCenter Server
Because the service accounts can't effectively use MFA, they must either be configured to bypass MFA, or the application(s) using the service accounts must be written to manually send an authentication API call to vSphere.
Option A) Within OKTA configuration, configure MFA to be bypassed for the service account(s). Please refer to "Bypass MFA for a Specific Set of Users" for detailed instructions.
Option B) Configure the application using the service accounts to send vCenter Server a New-OAuthSecurityContext API call for authentication (see the developer information about the API call).